ESET Reveals Further Facts about OS X Flashback Trojan, the Most Widespread Mac Malware to Date

ESET has performed a deeper investigation into the OS X Flashback Trojan on Apple Macs and come up with some interesting facts you might want to consider in order to protect your day-to-day use of Macs at work and home.

OSX/Flashback is, by far, the most widespread malware we have seen targeting Mac systems. During our investigation, ESET saw hundreds of thousands of infected systems forming a large botnet. We first added detection for OSX/Flashback in September 2011. A real spike in infections started in March 2012, when this threat began propagating by exploiting a vulnerability in the Java interpreter shipped with Apple’s OS X. During the first days of April, we deployed monitoring systems to gain a better understanding of the size of the infected population. Just a couple of weeks after that, at the beginning of May 2012, the last C&C (command and control) server used to manage the botnet of infected machines went offline. Since then, we can say that the botnet is effectively dead.

ESET decided to investigate the OSX/Flashback malware for several reasons. First, it uses novel techniques to spy on users when they are browsing the web. This malware also makes use of multiple methods to connect to its C&C server for redundancy, including dynamically generating domain names and searching for hashtags on Twitter. Finally, the scale of the infection made it very interesting, because a botnet of hundreds of thousands of infected Macs is unprecedented.

Various teams at ESET participated in the investigation. At our Bratislava headquarters, one team created a generic detection algorithm for the bot, while teams in Prague and Montreal reverse engineered the OS X code.

ESET’s primary objective has always been the mitigation of threats, and given the scale of OSX/Flashback, we needed to perform two activities: First we wanted to inform users about this malware so they could check their systems and, if infected, clean them. Second, we collaborated with others in the security industry to register as many of the domain names created by the bot’s domain name generation algorithm as possible, thus preventing the botnet master from sending update commands to already-infected systems.
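The mitigation described above (pre-registering the domains a bot's generation algorithm will produce so the botnet master cannot reach infected machines) only works if defenders can compute those domains ahead of time. The following added example, which is not ESET's code and does not reproduce the real OSX/Flashback algorithm, uses a constructed, hypothetical date-seeded generator to show the two defensive steps: pre-computing the domain set for the coming days for sinkhole registration or blocklisting, and matching DNS query logs against that set to find already-infected hosts. The DGA, the log format and the sample log lines are all assumptions made for illustration.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical, constructed DGA for illustration only. It is NOT the algorithm
# used by OSX/Flashback; it merely has the shape such algorithms share:
# a date-derived seed and a small fixed set of TLDs.
TLDS = ("com", "net", "org")


def toy_dga(day_iso, count=3):
    """Return the `count` domains the hypothetical bot would try on the given ISO date."""
    day = date.fromisoformat(day_iso)
    domains = []
    for i in range(count):
        seed = f"{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(seed).hexdigest()
        label = digest[:12]  # hex characters, so always a valid DNS label
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def upcoming_domains(start_iso, days):
    """Pre-compute every domain for the next `days` days starting at `start_iso`.

    A defender (or a coalition, as in the ESET effort) can register these in
    advance as sinkholes or push them to a DNS blocklist before the bot asks.
    """
    start = date.fromisoformat(start_iso)
    out = set()
    for d in range(days):
        out.update(toy_dga((start + timedelta(days=d)).isoformat()))
    return out


def find_dga_queries(log_lines, domains):
    """Return (client_ip, domain) pairs for DNS log lines that hit the DGA set.

    Assumed (constructed) log format: '<timestamp> <client_ip> query <qname>'.
    Hosts that query these names are candidates for cleanup.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        qname = parts[3].rstrip(".").lower()
        if qname in domains:
            hits.append((parts[1], qname))
    return hits


if __name__ == "__main__":
    # Constructed sample: one week of domains, plus two made-up resolver log lines.
    blocklist = upcoming_domains("2012-04-05", 7)
    infected_name = toy_dga("2012-04-05")[0]
    sample_log = [
        "2012-04-05T10:00:01 10.0.0.5 query " + infected_name + ".",
        "2012-04-05T10:00:02 10.0.0.6 query example.com.",
    ]
    for client, name in find_dga_queries(sample_log, blocklist):
        print(f"possible infection: {client} asked for {name}")
```

The point of separating `upcoming_domains` from `find_dga_queries` is that the first runs once, offline, to produce a list that can be handed to registrars and blocklist maintainers, while the second runs continuously over resolver logs and needs nothing but that list.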

The infographic below highlights statistics from the top affected countries in order to give you a better idea of the scope of the spread of the Flashback Trojan worldwide, and clearly shows the value of adding an additional layer of protection to Mac OS X systems.

Flashback infected more than 500 000 Macs. Pierre-Marc Bureau, ESET Senior Malware Researcher and Security Intelligence Program Manager, who was involved in the research, talks about the investigation and further research in the Mac malware area. Watch the video here